Technology Project 2: Better Browsing Control

In your first technology project you created a GPG key and then uploaded it to the public keyservers, making it possible for you to improve your communication privacy by sending and receiving encrypted email. For this project you will be setting up a secure connection between your computer and the mainframe computers at Columbia, then you will be instructing your web browser to route your web traffic through this secure connection. This will accomplish two things. First, you will block other users on your network, or the ISP on your local internet connection, from snooping on your network traffic. This means that other coffee shop customers sitting near you cannot hijack your connection to various web sites and that no one between your computer and the Columbia servers will be able to tell what sites you are browsing. Second, by sending your web traffic through the Columbia mainframe you will be mixing it with the web traffic of others at the University, making it much more difficult to determine whose traffic is whose.

Step 1: Connect to Columbia

In this step you are going to create a secure connection or "tunnel" to the Columbia Unix cluster. You can use this same general procedure with any other machines to which you may have access, whether that is a box you leave at home, a web hosting account to run a web site, or anyone else who gives you ssh access. All you need is an SSH client program.

OS X (Mac) or Linux users

If you use the OS X or Linux operating systems, you are in luck! A standard ssh client is already installed on your machine. On Linux machines you should be able to find a program called "terminal" or "command line" in your standard application menu. On OS X you can find the terminal program in your Applications directory under "Utilities". The terminal program is a general purpose text environment for running any number of different programs and commands, of which ssh is only one. While a text-based environment may not suit all tasks, you will see in this case how it enables you to accomplish some tasks very simply that would otherwise require multiple programs and steps.

Once you have opened the terminal application simply enter this command "ssh -D 7070 uni@cunix.columbia.edu" where "uni" is your own UNI, e.g. abc1234. When you hit enter it will try and connect to the Columbia CUNIX cluster. Assuming your network connection is working, the next thing you see will be a message asking if you wish to accept the host key for the CUNIX machine. Hit enter to accept it and then you will be asked for your Columbia UNI and password. Log in normally and it should complete setting up the tunnel and return you to a blinking cursor with no further chatter. Now you are logged in to the CUNIX machines. From here you could run other programs on the CUNIX machines, but that would be for another lesson. For this exercise, simply leave your terminal window open and move on to step two.

Windows users

Windows, unfortunately, does not come with an ssh client by default, so we need to download and install one before we can connect to the Columbia computers with it. The client we are going to install is called "PuTTY" and can be downloaded from here. Once you have downloaded and run the installer, launch PuTTY. Now we need to configure PuTTY to connect to the Columbia CUNIX mainframe. CuIT has instructions for this here; however, these instructions seem to be a bit out of date and refer to a version of PuTTY that is pre-configured to connect to CUNIX, which is no longer available from their download page. Should anyone find where that version is available, please say so in the comments on this page. Instead we will go through a general PuTTY configuration.

Your goal here is to create a new session, enter the Columbia server information, and save the session for future use. Follow these steps:

1) Open PuTTY.

2) Where it says "Host Name (or IP address)" enter "cunix.cc.columbia.edu"

3) Under "Saved Sessions" enter "Columbia" or "CUNIX" or any other name that will help you remember what this connection is for later.

4) Under the "Category" menu on the left, click on the "Connection" menu list and then the "SSH" menu underneath it.

5) Click on "Tunnels" in the "SSH" menu.

6) Under "Add new forwarded port:" enter 7070

7) Leave the "Destination" field blank but select the 'Dynamic' option underneath it.

8) Click the "Add" button to add this port.

9) Click "Save" to save all these settings.

10) Click on "Open" to open your new connection to the CUNIX servers.

11) Enter your UNI and password when prompted.

12) Once connected the tunnel is open and you can move to step two. After you are finished using the tunnel, type logout and press Enter.

Step 2: Tell your browser to use the secure tunnel

As part of connecting to CUNIX in step one we told ssh to take an address or "port" on your local machine and forward it to the CUNIX machine that you logged into. In particular we forwarded port "7070". This created a "SOCKS proxy" between your machine's port 7070 and the Columbia computer. We now want to tell your web browser to send all its requests for websites through the proxy port. The particular way to do this depends on which browser you are using.

As a first step for all browsers visit https://duckduckgo.com/?q=what+is+my+ip+address and write down the IP address associated with your browsing. Later, when you are using the proxy, you can return to that page and observe that your apparent IP address has changed.

Firefox

In Firefox, open your "Preferences" window. That should either be under the "Edit" or the "Tools" menu. In the Preferences window, click on "Advanced" at the very top then on the "Network" tab underneath it. The first item there is "Connection: configure how Firefox connects to the web", which is what you want to do. Click on the "Settings" button right next to that text.

You should now have a new popup window named "Configure Proxies to Access the Internet". You are almost there. Click on the "manual proxy configuration" option and then enter the following settings. For "SOCKS Host" enter "localhost" and for "Port" right next to it enter "7070".

You're done. You can close those configuration windows and you should be ready to check your IP address again with https://duckduckgo.com/?q=what+is+my+ip+address. If the apparent IP address known to the server has changed, you are proxying your web traffic. If not, something has gone wrong. Take a look at the proxy settings again. Make sure that manual settings box is selected and check that your ssh connection is still running in either PuTTY or the terminal.

When you are back to a network you trust and wish to stop proxying your traffic, simply return to the same configuration menu in Firefox and change "Manual proxy configuration" back to "no proxy configuration". Otherwise Firefox will continue trying to access the web through your proxy even after you are no longer connected, which will lead to an inability to access any websites.

If you find this process too cumbersome for frequent use, you can consider third party browser extensions like FoxyProxy to shortcut the process.

Chrome

Chrome has no capability to set proxy settings natively, so you need to rely on third party plugins to make any proxy connection without having to change your system-wide network settings. Thankfully, there is a free software plugin called proxy-switchy that you can use. Download and install that then give it the following settings:

  • Protocol: Socks5
  • Host: 127.0.0.1
  • Port: 7070

Internet Explorer and Safari

Both of these browsers are so tightly embedded in the operating system that the only way to use a proxy with them is to change the system-wide network settings. If you wish to do that the settings to use should be:

  • Protocol: Socks5
  • Host: 127.0.0.1
  • Port: 7070

but I offer no guarantees.

Firefox is the simplest browser to use when proxying web traffic. If you are not already using it, you could consider downloading and using it specifically for proxied connections. That way you can simply leave the proxy settings in Firefox on all the time and use whatever other browser you wish for non-proxied web activity.
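
The same before-and-after IP comparison can be made from the terminal, independent of any browser, which helps separate a dead tunnel from a misconfigured browser. The script below is an added example and not part of the original project page; the IP-echo service URL, the script name and the function names are assumptions, and curl must be installed.

```shell
#!/bin/sh
# Added example (not from the original page): check the Step 1 tunnel from a terminal.
PROXY="127.0.0.1:7070"   # the SOCKS port opened by "ssh -D 7070" in Step 1
# Assumption: any service that returns the caller's IP as plain text will do.
IP_ECHO_URL="${IP_ECHO_URL:-https://api.ipify.org}"

# Fetch our apparent IP; extra curl options are passed through as arguments.
fetch_ip() {
  curl -fsS --max-time 10 "$@" "$IP_ECHO_URL" 2>/dev/null
}

# Compare the two answers. Prints a one-word verdict and sets the exit status.
verdict() {
  d=$1; p=$2
  if [ -z "$p" ]; then
    echo "NO_PROXY_RESPONSE"; return 2   # tunnel down or nothing on port 7070
  elif [ "$d" = "$p" ]; then
    echo "NOT_PROXIED"; return 1         # same address both ways
  else
    echo "PROXIED"; return 0
  fi
}

check_tunnel() {
  direct=$(fetch_ip) || direct=""
  # --socks5-hostname hands the site name to the proxy, so the DNS lookup also
  # happens at the far end of the tunnel; plain --socks5 would resolve it locally.
  proxied=$(fetch_ip --socks5-hostname "$PROXY") || proxied=""
  echo "direct:  ${direct:-unavailable}"
  echo "proxied: ${proxied:-unavailable}"
  verdict "$direct" "$proxied"
}

# Run the live check only when asked: sh check_tunnel.sh --run
case "${1:-}" in
  --run) check_tunnel ;;
esac
```

The same split exists in the browser: Firefox sends name lookups through the SOCKS tunnel only when the preference network.proxy.socks_remote_dns is true. With it off, the page contents travel through the tunnel but the names of the sites you visit are still resolved on the local network.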

Step 3: Proof

Once you have successfully proxied your web connection through the CUNIX machines you are ready to demonstrate your success here. While your browser is still proxied simply add a comment to this page saying that you are finished. The comment will look no different to you but the logs for this website, like the logs of every website, will record your IP address. If you are successfully using your new proxy all we will see is a connection from one of the CUNIX machines. Otherwise we will see exactly where else you are connecting from.

Finished. Proxy Switchy did not work for my computer for some reason. I used Proxy SwitchySharp instead. -- LeonHuang - 25 Mar 2017

Finished

-- JudyWang - 22 Mar 2016

Finished

-- AlexiaBedat - 22 Mar 2016

Finished

-- JakeLewis - 26 Mar 2016

Finished

-- MalcolmEvans - 29 Mar 2016

It works well.

-- PeterHong - 30 Mar 2016

I really hope I did this correctly.

-- LizzieOShea - 30 Mar 2016

Finished

-- BrandonNguyen - 30 Mar 2016

Finished.

-- LeoFarbman - 01 Apr 2016

Finished

-- AlexanderGerten - 01 Apr 2016

Finished!

-- TimothyKim - 04 Apr 2016

Finished.

-- AlanWong - 04 Apr 2016

Finished

-- KarmanLucero - 06 Apr 2016

Finished

-- RasheedAhmed - 06 Apr 2016

Finished

-- ChristopheWassaf - 06 Apr 2016

Finished!

-- DanielShiner - 10 Apr 2016

Finished.

-- GreggBadichek - 10 Apr 2016

Finished.

-- BriannaCummings - 13 Apr 2016

Finished.

-- SolomonRotstein - 13 Apr 2016

Finished

-- DannyStemp - 25 Apr 2016

Hope I did this correctly

-- CorneliusRange - 27 Apr 2016

I am more confident now! (On firefox)

-- CorneliusRange - 27 Apr 2016

Finished

-- ElizabethAkinyemi - 27 Apr 2016

For what it's worth, you can do the same with Firefox (and maybe other browsers) on an Android machine as well. Instructions are here: http://www.devineloper.com/2013/08/28/setup-socks-proxy-android-without-root/. The SSH client 'ConnectBot' should be available on the F-Droid repository.

-- GreggBadichek - 06 May 2016

Finished.

-- AndrewButler - 19 May 2016

Finished

-- EthanThomas - 19 Mar 2017

Finished

-- StephanieKato - 19 Mar 2017

Finished.

-- MalcolmEvans - 20 Mar 2017

Finished.

-- ShayaAfshar - 21 Mar 2017

Finished.

-- OrBelkin - 22 Mar 2017

Finished. I had trouble with the extension proxy-switchy. I had better luck with Proxy SwitchySharp.

-- AndrewWatiker - 22 Mar 2017

Finished. I had trouble with Chrome, but got it to work in Firefox...

-- TikRoot - 22 Mar 2017

Finished.

-- AmandaFerber - 22 Mar 2017

Finished.

-- HyunKyungLee - 24 Mar 2017

In OSX, Chrome actually lets you change the proxy settings directly (without an extension): File --> Preferences --> "Show Advanced Settings" --> Under the "Network" heading click "Change Proxy Settings"

From there just follow the above instructions for a Socks proxy!

-- TikRoot - 25 Mar 2017

Finished

-- SunghyeOh - 27 Mar 2017

Finished.

-- WhitneyLee - 29 Mar 2017

Finished.

-- DanielleTomson - 29 Mar 2017

Finished

-- DavidHammond - 29 Mar 2017

Finished.

-- EveShabto - 31 Mar 2017

Finished

-- ErensuAltan - 02 Apr 2017

Finished

-- ZebulunJohnson - 03 Apr 2017

Finished

-- AudreyAmsellem - 04 Apr 2017

Finished

-- TracyRizk - 05 Apr 2017

Finished

-- ShayBanerjee - 05 Apr 2017

Relieved

-- CorinneShim - 05 Apr 2017

Finished

-- ChenyeNi - 14 Apr 2017

Proof

-- AlexanderHoffman - 16 Apr 2017

Proof

-- JessicaCorey - 01 May 2017

Finished

-- JulianWilliams - 03 May 2017

Finished

-- ChristopherPistritto - 05 May 2017

Finished

-- MichaelWright - 06 May 2017

Finished

-- MayuArimoto - 07 May 2017

Finished. -- JBO

-- JohnOMeara - 09 Oct 2017

I believe this works. I am not sure if I successfully configured Switchy, but I also followed the Chrome instructions provided by TikRoot, above.

-- JohnOMeara - 09 Oct 2017